[jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800
- From: Greg Wilkins <gregw@xxxxxxxxxxx>
- Date: Tue, 31 May 2016 08:27:15 +1000
- Delivered-to: email@example.com
Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on the Windows platform.
The vulnerability allows raw file resources protected by security constraints or located in WEB-INF to be revealed. Only resources within the webapp are vulnerable.
The issue was fixed in release jetty-9.3.9, which is available via eclipse download or in the maven central repository. A workaround is also documented in the ocert announcement below: rewrite rules and/or filters can be installed that disallow URIs containing the \ character.
This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names. Thus if a security configuration allows all URIs except for specific patterns, then any alias that bypasses those specific patterns creates a security vulnerability. Since updates to file systems and/or JVM libraries can (and have) introduced new types of aliases, good security practice is to install a deny constraint on all URIs and then selectively allow specific URIs.
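As an added illustration of the two constraint styles contrasted above (example code, not Jetty's own constraint handling), the following Python model applies servlet-style URL patterns to a request path. The patterns, the "allow all except" and "deny all except" policies, and the request paths (including one containing the \ character the workaround rejects) are all constructed for the example.

```python
import posixpath

# Constructed policies for a hypothetical webapp.
DENY_PATTERNS = ["/WEB-INF/*"]                             # "allow everything except..."
ALLOW_PATTERNS = ["/index.html", "/public/*", "/css/*"]    # "deny everything except..."


def matches(pattern, path):
    """Servlet-style URL pattern match: exact path, or '/prefix/*'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def reject_alias(path):
    """Workaround-style filter: refuse URIs containing a backslash, which
    pattern matching never treats as a separator, and refuse any path
    that is not already in normalized form ('..', '//', trailing '/')."""
    if "\\" in path:
        return True
    return posixpath.normpath(path) != path


def allow_except(path):
    """Blacklist policy: everything is allowed unless a deny pattern matches."""
    return not any(matches(p, path) for p in DENY_PATTERNS)


def deny_except(path):
    """Default-deny policy: only paths matching an allow pattern are served."""
    return any(matches(p, path) for p in ALLOW_PATTERNS)


def authorize(path, policy, alias_filter=False):
    """Return True if the request path may be served under the given policy,
    optionally running the alias-rejecting filter first."""
    if alias_filter and reject_alias(path):
        return False
    return policy(path)


if __name__ == "__main__":
    # A path with '\' does not match '/WEB-INF/*', so the blacklist lets it
    # through; the default-deny policy and the alias filter both stop it.
    for path in ["/WEB-INF/web.xml", "/WEB-INF\\web.xml", "/public/site.css"]:
        print(f"{path!r:22} allow_except={authorize(path, allow_except)!s:5} "
              f"deny_except={authorize(path, deny_except)!s:5} "
              f"filtered={authorize(path, allow_except, alias_filter=True)}")
```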
The Jetty team would like to acknowledge the assistance of ocert in finding and handling this issue.